password

Your first school. Your mother’s maiden name. Your favorite color. These are the questions we’re so used to answering when we’ve forgotten a password and need to get back into an account. They’re not a password, yet in many cases have just as much power. Despite this, they’re often based on incredibly insecure information.

Sarah Palin’s Yahoo account is perhaps the best example of this. In September 2008, a Google search netted a birthdate, ZIP code, and where the politician met her spouse. This was enough to reset the account’s password and gain full access to the emails inside.

While we’re not all public figures with our life stories splashed across news articles online, these sorts of questions aren’t exactly difficult to answer. Birthdays are celebrated across social media, and the average online quiz would net plenty of other answers. The problem is that these questions offer the same control over an account that a password does, but the answers are not guarded in the same way a password is.

For this reason, I have always used complete gibberish when filling in security questions. Whenever I did forget a password, I was generally lucky enough to solve the problem through a recovery e-mail. Recently, however, my good luck ran out. It was a Thursday evening, and I logged on to check my forex trading account. I realised I hadn’t updated my phone number, which had recently changed.

Upon clicking my way into the account settings, I quickly found that this detail could only be changed by a phone call. I grabbed my phone and dialed, answering the usual name and date of birth questions. I was all set to complete this simple administrative task! I was so excited.

“Thanks Lewin, I’ll just need you to answer your security question.”

“Oh no.”

“The question is… Chutney butler?”

“Yes. Yes it is. Uh…”

“…would you like to guess?”

Needless to say, I didn’t get it.

I was beginning to sweat at this point. To their credit, the call center staffer was particularly helpful, highlighting a number of ways to recover access to the account. Mostly involving a stack of identification documents and a visit to the nearest office. If anything, it was a little reassuring that my account details required such effort to change. Perhaps the cellular carriers of the world could learn a thing or two.

In the end, I realised that I could change my security question with my regular password, and then change the phone number with the new security question. All’s well that ends well.

How Do You Deal with Security Questions?

I want to continue taking a high-security approach to my security questions. But as this anecdote shows, you do occasionally need to use them. With that in mind, we’d love to hear your best practices for security questions on accounts that you care about.

Do you store your answers the same way you store your passwords, using high-entropy answers for the best security? When you are forced to use preselected questions, do you answer honestly or make up nonsensical answers (and how do you remember what you answered from one account to the next)? When given the option to choose your own questions, what is your simple trick that ensures it all still makes sense to you at a later date?

We’d love to hear your best-practice solutions in the comments. While you ponder those questions, one mystery will remain, however — the answer to the question that nobody knows: Chutney butler?
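One way to handle the "how do you remember what you answered" problem, as an added example rather than anything from the original post: generate random answers built from real words (so they survive being read aloud to a call-centre agent, unlike symbol soup) and keep each answer beside the exact question it belongs to. The word list, the account name and the `words_for_bits` sizing helper are constructed for this illustration.

```python
import json
import math
import secrets
from typing import Dict, Optional

# Constructed word list for the demo. A real vault would draw from a large
# published list (a 7776-word diceware list gives ~12.9 bits per word), so
# that a four-word answer lands near 52 bits instead of the ~19 bits here.
WORDS = [
    "anvil", "basil", "cobalt", "dahlia", "ember", "falcon", "garnet",
    "harbor", "iris", "juniper", "kestrel", "lantern", "marble", "nectar",
    "orchid", "pebble", "quartz", "raven", "saffron", "tundra", "umber",
    "velvet", "walnut", "xenon", "yarrow", "zephyr",
]


def answer_entropy_bits(word_count: int, list_size: int) -> float:
    """Entropy of word_count words picked uniformly with replacement."""
    return word_count * math.log2(list_size)


def words_for_bits(target_bits: float, list_size: int) -> int:
    """Smallest word count that reaches target_bits from a list_size list."""
    return math.ceil(target_bits / math.log2(list_size))


def make_answer(word_count: int, words=WORDS) -> str:
    """Random answer drawn from the OS CSPRNG; words, not symbols, so it can
    be spoken over the phone without ambiguity."""
    return " ".join(secrets.choice(words) for _ in range(word_count))


def record_answer(vault: Dict[str, Dict[str, str]], account: str,
                  question: str, answer: str) -> Dict[str, Dict[str, str]]:
    """Keep the exact question text beside its answer, per account, so the
    right gibberish can be found years later. The vault dict is meant to
    live inside an encrypted password-manager entry, never a plain file."""
    vault.setdefault(account, {})[question] = answer
    return vault


def lookup_answer(vault, account: str, question: str) -> Optional[str]:
    return vault.get(account, {}).get(question)


def export_vault(vault) -> str:
    """Serialise for pasting into a password manager's notes field."""
    return json.dumps(vault, indent=2, sort_keys=True)
```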

There will be no special badges for DEFCON. Everyone will still have badges — and our expectations are tempered because of the one year on / one year off schedule for electronic badges — there just won’t be mind-bending puzzles wrapped up in the official badges. What this means: it probably won’t matter if you’re late for linecon, and someone in the DEFCON hive mind still has a Facebook. Also, DEFCON is canceled.

In the past, we have decried the very existence of fidget spinners. It’s what the kids are into, after all. However, an electronic fidget spinner is an interesting engineering challenge. It combines the mechanical fun of bearing science, the exacting precision of balancing stuff, and stuffing electronics where no electronics should be. This Kickstarter is perhaps the best electronic fidget spinner we’ve seen. The electronics are powered by a coin cell and are packed into one of the spaces for the ‘wing’ bearings, and two additional weighted bearings allow the spinner to balance. There’s a small magnet for a hall effect sensor in the ‘stator cap’ so RPM can be measured. This design uses the most common mold for a fidget spinner, making it very manufacturable. Compare this design to the Internet of Fidget Spinners, a POV fidget Spinner, another POV fidget spinner, an educational electronic fidget spinner, or this amazing technique to measure the speed of a fidget spinner that will blow your mind, and you’ll see this Kickstarter project is clearly the superior design.

You kids are spoiled with your programmable drum machines like your 808 and 909. Back in the day, drum machines were attached to organs, and only had a few patterns. You couldn’t change the patterns, you could only change the speed. [Jan] has created one of these prehistoric drum machines in a microcontroller. You get hard rock, disco, reggae, rock, samba, rumba, cha-cha, bossa nova, beguine, synthpop, boogie, waltz, jazz rock, and slow rock. Awesome.

Do you need a new password? Humans really aren’t good at coming up with random numbers, and if you need a completely random alphanumeric password, it’s best left to a computer. Have no fear, because there’s now a website that generates the single most secure password on the planet. This password, “H4!b5at+kWls-8yh4Guq”, features upper and lowercase characters, numbers, symbols, and twenty unique characters. This password was developed by security researchers and encryption specialists in Europe, so you know it has absolutely nothing to do with the NSA, CIA, or any other American three-letter agency.

Speaking of three-letter agencies, last Wednesday was International Selfie Day! That doesn’t mean you still can’t get in on the action. Take a selfie right now and upload it to social media! What’s facial recognition?

Looking for a great little ESP32 breakout board with all the bells and whistles? Olimex has a new board out with Ethernet, a MicroSD card slot, and 20 GPIOs broken out.

A couple of weeks back a report came out in which [Tavis Ormandy], a widely known security researcher at Google Project Zero, showed how it was possible to abuse LastPass RPC commands and steal user passwords. The irony is that LastPass is software designed to keep all your passwords safe, built so that even LastPass can’t access them: the passwords are stored locally using strong cryptography, and only you can unlock them with a master key. Storing all your passwords in only one place has its downfalls. By the way, there is no proof or suggestion that this bug was abused by anyone, so if you use LastPass, don’t worry just yet.

But it got me thinking: how worried and how paranoid should a regular Internet user be about their password? How many of us have account details exposed somewhere online? If you’ve been around long enough, odds are you have at least a couple of accounts with some major Internet-based companies. Don’t go rushing into the Dark Web to find out whether your account details are being sold. The easiest way to get your paranoia started is to visit Have I Been Pwned. For those who have never heard of it, it’s a website created by [Troy Hunt], a well-known security professional. It keeps track of every known public security breach he can get his hands on and provides an answer to a simple question: “Was my account in any major data leak?” Let’s take a look.
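Have I Been Pwned also publishes its Pwned Passwords set behind a k-anonymity range API, which lets you check a password without ever sending it: the client sends only the first five hex characters of the password’s SHA-1 and compares the returned suffixes locally. The code below is an added illustration, not the site’s own client; the range responses are constructed stand-ins with made-up counts so it runs offline, and `fetch_range` is a hypothetical replacement for the real HTTPS GET.

```python
import hashlib
from typing import Dict

# Constructed stand-in for the body of GET
# https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>.
# Each line is "<remaining 35 hex chars>:<count>"; counts here are invented.
# The 0-count line mimics the padding entries the API can add on request.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": "\r\n".join([
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",  # SHA-1("password")
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:0",        # padding entry
    ]),
}


def sha1_split(password: str):
    """Return (prefix, suffix): only the 5-char prefix leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse a range response into {suffix: count}, tolerating blank lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.rsplit(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Hypothetical offline stand-in for the HTTPS request."""
    return SAMPLE_RANGES.get(prefix.upper(), "")


def breach_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in the leaked set (0 = not seen).
    The comparison against the full suffix happens locally."""
    prefix, suffix = sha1_split(password)
    return parse_range(fetch(prefix)).get(suffix, 0)
```

A non-zero count means the password is already in circulation and should be retired, whatever account it protects.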

Anytime you’re having more than a handful of people over to your place for a wild rager or LAN party (or both), you’ll generally need a way to make sure everyone can get their devices on the network. Normally, this would involve either putting your WiFi password into more phones than you can count or yelling your password across a crowded room. Neither of these options suited [NicoHood] and his partner, however, so he came up with another more secure solution to the WiFi-in-a-crowded-room problem.

He calls his project “guestwlan” and it’s set up to run on a Raspberry Pi with a touch screen. When a potential WiFi user approaches the Pi and requests access to the network, the Pi displays a QR code. Within that code is all of the information that the prospective device needs to connect to the network. For those who have already spotted the new security vulnerability that this creates, [NicoHood] has his guest WiFi on a separate local network just to make sure that even if someone nefarious can access the Internet, it would be more difficult for them to do anything damaging to his local network. As it stands, though, it’s a lot more secure than some other WiFi networks we’ve seen.

[NicoHood] also released his software on Git but it has been configured for use with Arch. He says that it would probably work in a Debian environment (which the Raspberry Pi-specific OS is based on) but this is currently untested. Feel free to give it a try and let us know how it goes.
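The join information a phone reads out of such a QR code is usually the plain-text "WIFI:" string that camera apps understand. The code below is an added example and not guestwlan’s own code; it assumes the common ZXing layout `WIFI:T:<auth>;S:<ssid>;P:<passphrase>;H:true;;` and shows the detail that bites in practice: `;`, `,`, `:`, `"` and `\` inside an SSID or passphrase must be backslash-escaped or the phone parses the wrong network. The guest-key generator is a constructed helper.

```python
import secrets
import string

_SPECIAL = '\\;,":'  # characters that must be escaped inside a field


def escape_field(value: str) -> str:
    return "".join("\\" + c if c in _SPECIAL else c for c in value)


def random_passphrase(length: int = 20) -> str:
    """Per-event guest key from the OS CSPRNG; rotate it after the party."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def wifi_qr_payload(ssid: str, passphrase: str, auth: str = "WPA",
                    hidden: bool = False) -> str:
    """Build the string a QR encoder would turn into the join code."""
    if auth not in ("WPA", "WEP", "nopass"):
        raise ValueError("auth must be WPA, WEP or nopass")
    if auth == "WPA" and not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    parts = [f"T:{auth}", f"S:{escape_field(ssid)}"]
    if auth != "nopass":
        parts.append(f"P:{escape_field(passphrase)}")
    if hidden:
        parts.append("H:true")
    return "WIFI:" + ";".join(parts) + ";;"


def parse_wifi_qr_payload(payload: str) -> dict:
    """Inverse of wifi_qr_payload, honouring backslash escapes."""
    if not payload.startswith("WIFI:"):
        raise ValueError("not a WIFI: payload")
    body, fields, key, buf, i = payload[5:], {}, None, [], 0
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):   # escaped character: keep literal
            buf.append(body[i + 1])
            i += 2
            continue
        if c == ":" and key is None:          # end of the field name
            key, buf = "".join(buf), []
        elif c == ";":                        # end of the field value
            if key is not None:
                fields[key] = "".join(buf)
            key, buf = None, []
        else:
            buf.append(c)
        i += 1
    return fields
```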

As he states in his deeply weird (though in no way wrong) channel intro, when he’s not driving a bus or teaching Israeli dance, he works hard to understand the things around him. Naturally, a mysterious phone number shaped set of digits in a favorite game was a secret worth extracting.

The digits can represent every possible state in the game. It uses a pretty simple decoding and encoding scheme, which he walks through. As he says, it all becomes clear when you can see the source code.

After working through all the quirks he is able to arbitrarily generate any state in the game and handle the exceptions (such as Nintendo USA’s phone number). You can see all his code here and try it out for yourself. Video after the break.

A tough summer of botnet attacks by Internet-of-Things things came to a head last week and took down many popular websites for folks in the eastern US, and more attention has finally been paid to what to do about this mess. We’ve wracked our brains, and the best we can come up with is that it’s the manufacturers’ responsibility to secure their devices.

Chinese DVR manufacturer Xiongmai, predictably, thinks that the end-user is to blame, but is also consenting to a recall of up to 4.3 million (originally reported as 300 million) of their pre-2015 vintage cameras — the ones with hard-coded factory default passwords. (You can cut/paste the text into a translator and have a few laughs, or just take our word for it. The company’s name gets mis-translated frequently throughout as “male” or “masculine”, if that helps.)

Xiongmai’s claim is that their devices were never meant to be exposed to the real Internet, but rather were designed to be used exclusively behind firewalls. That’s apparently the reason for the firmware-coded administrator passwords. (Sigh!) Anyone actually making their Internet of Things thing reachable from the broader network is, according to Xiongmai, being irresponsible. They then go on to accuse a tech website of slander, and produce a friendly ruling from a local court supporting this claim.

Whatever. We understand that Xiongmai has to protect its business, and doesn’t want to admit liability. And in the end, they’re doing the right thing by recalling their devices with hard-coded passwords, so we’ll cut them some slack. Is the threat of massive economic damage from a recall of insecure hardware going to be the driver for manufacturers to be more security conscious? (We kinda hope so.)

Meanwhile, if you can’t get enough botnets, here is a trio of recent articles (one, two, and three) that are all relevant to this device recall.